Raul, 

I can send you a signed XML document without external references (it's easier 
to manage) that has been signed using XML Security V1.3.

- The document is valid with Apache XML Version 1.3
- The document is valid with IBM XSS4J toolkit
- The document is NOT valid with Apache XML version 1.4

Is it what you need? Moreover, I think it will be great to add a regression 
test as I have. Documents signed with version 1.3 must be valid with higher 
versions.

Regards. Yvan Hess

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: Wednesday, 9 August 2006 12:02
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

Hi Hess,
  Sadly it is going to take me more time to reproduce this. I have finished my 
vacation (that is when I work with xml-sec).
  I can revert my changes and go with the old 1.3 implementation of
xpath2 filter, but it will be very sad, as it is very slow compared to the new 
one ( o(n2) vs. o(n) ).
  The problem is that the test cases only have one example of xpath2 
transformation. If you can give us more I can debug the implementation better. 
If not I have to create them and check what should be the correct c14n, this 
takes me "long" time (1 hour, but currently I can only reserve half an hour for 
xml-sec hacking).
  So if you can provide me a failing example I can speed up this process.
  Sorry.

Regards,

Raul

On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> When you have a new version correcting the bug, please inform me and I will 
> one more time execute my Junit tests and I will give you a feedback.
>
> Regards. Yvan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> Sent: Monday, 7 August 2006 18:41
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Then it is a bug that I introduced rewriting xpath2 filter. I will try to 
> reproduce it with a xfilter with only intersect nodes.
>
> Thanks,
> Regards,
>
> Raul
>
> On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > I don't think so because I have a transform <ds:Transform 
> > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing into an 
> > element of my XML document that doesn't include the signature itself. As I 
> > said, it was working like that prior to version 1.4.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > Sent: Monday, 7 August 2006 17:21
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Hi Hess,
> > It seems to me that you need to use also enveloped signature transformation. 
> > The Reference="" is including the signature and this is a problem when 
> > signing, it depends in the order of doing the reference you're going to 
> > obtain different digest values.
> > What do you think, can it be your case?
> >
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > It will be difficult to send you a test case because all my test cases 
> > > are based on my library (that is also bound to other libraries). I can try 
> > > to do debugging to help you to isolate the problem or to solve it :-). 
> > > First a good Junit test case that you can introduce into XML security 
> > > JUnit tests is something similar to my TEST 2 (Signature with XML 
> > > security and verification with IBM toolkit XSS4J). In this case you are 
> > > sure that the signature has been correctly generated and is valid.
> > >
> > > Here is the signature of my XML document I am using into the context of 
> > > my test case. As you can see I am signing one part of the XML document 
> > > and two external binary documents. The problem seems to come from the 
> > > first Reference (<ds:Reference URI="">). The digest value doesn't match 
> > > after signature verification. The digest values of the two external 
> > > references match.
> > >
> > > <edoc:SignatureBlock id="Revision-1-Signature-1">
> > >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> > >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> > >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > >       <ds:SignedInfo>
> > >          <ds:CanonicalizationMethod 
> > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > >          <ds:SignatureMethod 
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > >          <ds:Reference URI="">
> > >             <ds:Transforms>
> > >                <ds:Transform 
> > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > >                   <dsig-xpath:XPath 
> > > xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" 
> > > Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> > >                </ds:Transform>
> > >             </ds:Transforms>
> > >             <ds:DigestMethod 
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> > >          </ds:Reference>
> > >          <ds:Reference 
> > > URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> > >             <ds:DigestMethod 
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> > >          </ds:Reference>
> > >          <ds:Reference 
> > > URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> > >             <ds:DigestMethod 
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> > >          </ds:Reference>
> > >       </ds:SignedInfo>
> > >       <ds:SignatureValue>
> > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZO
> > > wP
> > > GY
> > > izLB4P
> > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4f
> > > vMa8f4sHx8onoVt+jD
> > > vMa8f4sHx8onoVt+UL
> > > vMa8f4sHx8onoVt+dk9Zhw
> > > vIN/+eBfirtyCcbTb1w=
> > > </ds:SignatureValue>
> > >       <ds:KeyInfo>
> > >          <ds:X509Data>
> > >             <ds:X509Certificate>
> > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > > </ds:X509Certificate>
> > >             <ds:X509Certificate>
> > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > > </ds:X509Certificate>
> > >          </ds:X509Data>
> > >       </ds:KeyInfo>
> > >    </ds:Signature>
> > > </edoc:SignatureBlock>
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > Sent: Monday, 7 August 2006 16:21
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Can you open a bug report and attach a test case?
> > > This will help a lot.
> > >
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > >
> > > >
> > > > Hi,
> > > >
> > > > XML security version 1.4 Beta0 and Beta1 don't sign the XML 
> > > > document correctly. I developed a Java library that uses XML 
> > > > security to sign/verify and to encrypt/decrypt XML documents. 
> > > > When I executed my JUNIT tests, they failed when XML documents are 
> > > > verified. I have two tests that failed:
> > > >
> > > > TEST 1:  The XML document is already signed (with XML security 
> > > > version 1.2) and it is verified with the version 1.4 (beta0 and beta1).
> > > > This test failed using version 1.4 but was ok with precedent versions.
> > > >
> > > > TEST 2:  The XML document is signed with XML security V1.4Beta1 
> > > > and is verified with IBM XSS4J toolkit. This test failed using 
> > > > version 1.4Beta1 but was ok with precedent versions.
> > > >
> > > > I think it is a critical bug...Please can you help me
> > > >
> > > > Regards. Yvan Hess
> > > >
> > > >
> > >
> > >
> > > --
> > > http://r-bg.com
> > >
> >
> >
> > --
> > http://r-bg.com
> >
> >
> >
>
>
> --
> http://r-bg.com
>
>
>


--
http://r-bg.com

